CCCHH Wiki

User Tools

Site Tools

You are here: start » infrastructure » services » keycloak
infrastructure:services:keycloak

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
infrastructure:services:keycloak [2024-03-08 00:32 UTC] – only mention matrix channel and also describe offline flow for account creation juneinfrastructure:services:keycloak [2024-04-24 20:46 UTC] (current) – Document the desired permission & configuration structure. Also mark it as such and further mark the Attributes section as ToDo and the RBAC section as NEEDS REVISION. june
Line 76: Line 76:
  
 Außerdem ist wichtig, dass Keycloak allen Usern die "user"-Gruppe vom Dokuwiki zuweist. Außerdem ist wichtig, dass Keycloak allen Usern die "user"-Gruppe vom Dokuwiki zuweist.
 +
 +==== Permission & Configuration Structure ====
 +
 +THIS IS THE DESIRED STATE AND NOT HOW IT WORKS IN PRACTICE YET.
 +
 +This section tries to give insight into how the groups, roles, client roles and attributes work to form a  permission and configuration structure for our realm and its clients.
 +
 +=== Groups ===
 +
 +Groups act like profiles, which one can apply to users.
 +
 +Example:
 +  * The ''user'' group should give access to all the clients and resources all users should have access to.
 +  * The ''intern'' group on the other hand should give further access to clients and resources, only internal members should have access to.
 +  * Same thing for groups like ''freifunk'', ''admin'' and so on.
 +
 +Important to note here is that the groups themselves aren't used directly for access to clients/to grant permissions in any client. The group just holds the relevant client roles and attributes for granting access to clients/to grant permissions in any clients. \\
 +This way of having the groups act like general profiles, but having the actual configuration of permissions achieved using client roles, decouples them both nicely. \\
 +This then allows for special use cases like the wiki user for example, which isn't in any group, but still has access to certain clients and resources through manual assignment of client roles.
 +
 +=== Roles ===
 +
 +We don't make use of roles, since they are mostly the same as groups it seems. Further configuration beyond groups is achieved using client roles and attributes.
 +
 +=== Client Roles ===
 +
 +Client roles are used to configure client-specific user permissions.
 +
 +Example: There exists a ''(wiki) intern'' client role, which then gets mapped to the wikis ''intern'' group. Users, who have this role assigned in Keycloak are then automatically part of the wikis ''intern'' group and can access the relevant resources.
 +
 +=== Attributes ===
 +
 +ToDo
  
 ==== RBAC ==== ==== RBAC ====
 +
 +NEEDS REVISION
  
 Für alle nicht-Keycloak-internen Clients haben wir nun auch Role Based Access Control. Für alle nicht-Keycloak-internen Clients haben wir nun auch Role Based Access Control.
infrastructure/services/keycloak.txt · Last modified: 2024-04-24 20:46 UTC by june
Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
CC0 1.0 Universal Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki